In theory, the master password is never supposed to leave your device even with the cloud-based password managers. So, yes, you're trusting that their clients do what they say they do, and I suppose an attacker could hijack the client and offload your password.

That said, the same risk applies to any client you use. Someone could have compromised the latest update of KeePassX as readily as they can compromise LastPass's client. If you don't have automatic updates then that's helpful, but I'm not sure it's producing enough security to be worth the extra hassle.

Having to compromise KeePassX rather than Dropbox, and specifically while you are updating, is not an insignificant difference.
Having to do it while updating narrows the window of opportunity for sure, but I don't think KeePassX is a more secure target than Dropbox or Bitwarden.

They don't have to get bad code into an MR (though that's one option), they could compromise the website and have it distribute a different binary. If you build it from source you're safe against that, but are you really building it from source?

Also, remember that the same logic applies to Bitwarden: they need the master password and therefore must compromise the client during the window where you update it.
